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Encryption method, encryption apparatus, recording method, decoding 
method, decoding apparatus and recording medium 

Claims of corresponding document: EP0768774 

1. A method of encrypting predetermined information by using a predetermined 
encryption key comprising the steps of: 

hierarchizing said encryption key by using a one-way function; and 

decoding said predetermined information by using said hierarchized encryption 

key. 

2. A method as claimed in claim 1, in which a first hierarchized encryption key of 
said hierarchized encryption keys is a master key. 

3. A method as claimed in claim 1, in which specific information is encrypted by 
using said hierarchized encryption key. 

4. A method of recording predetermined encrypted information on a recording 
medium comprising the steps of: 

receiving predetermined information encrypted by using an encryption key 
hierarchized by a one-way function; and 

recording said encrypted predetermined information on said recording medium. 

5 A method according to claim 4, further comprising the steps of receiving specific 
information encrypted by using said encryption key and recording said encrypted 
specific information on said recording medium together with said encrypted 
predetermined information. 

6. A method of decoding encrypted predetermined information comprising the steps 
of: 

receiving encrypted predetermined information; and 

decoding said encrypted predetermined information by using a decoding key 
responding to an encryption key hierarchized by using a one-way function. 



cor 



7 A method as claimed in claim 6, in which a first hierarchized encryption key of 
said hierarchized encryption keys is a master key and a decoding key corresponding 
to an encryption key is generated from said master key by using said one-way 
function. 

8 A method according to claim 6, further comprising the steps of receiving 
encrypted specific information, determining a decoding key corresponding to an 
encryption key, which encrypts said received encrypted predetermined information 
from specific information, encrypted specific information and information used to 
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determine a decoding key corresponding to an encryption key, and decoding said 
' encrypted predetermined information by using a determined decoding key. 

9 A method as claimed in claim 8, in which said information for determining said 
decoding key corresponding to said encryption key is information of master key or 
information of latest encryption key. 

10 A method as claimed in claim 8, in which said step for determining said 
decoding key corresponding to said encryption key comprises the steps of: 

(a) decoding said encrypted predetermined information by using said information 
for determining a decoding key corresponding to an encryption key; and 
comparing decoded specific information and said specific information and 
determining a decoding key corresponding to an encryption key based on a 
compared result. 

1 1 A method as claimed in claim 10, in which if it is determined that said decoded 
specific information and said specific information agree with each other, then 
present information for determining a decoding key corresponding to an encryption 
key is a decoding key for decoding encrypted predetermined information and it it 
is determined that said decoded specific information and said specific information 
do not agree with each other, then present information for determining a decoding 
key corresponding to an encryption key is hierarchized by using a one-way function 
and a decoding key corresponding to an encryption key is determined by repeating 
said steps (a) and (b). 

12 A method as claimed in claim 6, in which said encrypted predetermined 
information is recorded on a recording medium, said encrypted predetermined 
information is read out from said recording medium and supplied, and said 
encryption key is printed on said recording medium or a case for storing said 
recording medium in the form of characters, numerals, bar code or hologram 
corresponding to said encryption key. 

13 A method as claimed in claim 6, in which said encryption key is inserted into a 
predetermined software for decoding encrypted predetermined information as a 
code corresponding to said encryption key. 

14. A method as claimed in claim 6, in which said encryption key is supplied 
through a telephone line network or a network. 

15. An apparatus for decoding predetermined information by using a predetermined 
encryption key comprising: 

means for generating encryption keys by hierarchizing encryption keys by using a 
one-way function; and . . , 

means for decoding said predetermined information by using said hierarchized 

encryption keys. 



16. An apparatus as claimed in claim 15, in which a first hierarchized encryption 
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key of said hierarchized encryption keys is a master key. 

17. An apparatus according to claim 15, further comprising means for encrypting 
specific information by using said hierarchized encryption keys. 

1 8 .An apparatus for decoding encrypted predetermined information comprising: 

means for receiving said encrypted predetermined information; and 

means for decoding said encrypted predetermined information by using a decoding 

key corresponding to encryption keys hierarchized by using a one-way function. 

19 An apparatus according to claim 18, further comprising a first memory for 
storing information used to determine a decoding key corresponding to said 
encryption key, means for generating a decoding key corresponding to an 
encryption key from said master key by using a one-way function and a second 
memory for storing a decoding key corresponding to said generated encryption key 
and wherein information for determining a decoding key corresponding to said 
encryption key is a master key which is a first hierarchized encryption key of said 
hierarchized keys. 

20 An apparatus according to claim 18, further comprising means for receiving 
encrypted specific information and wherein said generating means determines a 
decoding key corresponding to an encryption key which encrypts said received 
encrypted predetermined information from specific information, encrypted specific 
information and information for determining a decoding key corresponding to an 
encryption key and said decoding means decodes said encrypted predetermined 
information by using a determined decoding key. 

2 1 An apparatus as claimed in claim 20, in which said information for determining 
a decoding key corresponding to an encryption key is information of master key or 
information of a latest encryption key. 

22. An apparatus as claimed in claim 21, in which said generating means decodes 
said encrypted predetermined information by using said information for 
determining a decoding key corresponding to an encryption key, compares decoded 
specific information and said specific information and determines a decoding key 
corresponding to an encryption key based on a compared result. 

23 An apparatus as claimed in claim 22, in which if it is determined that said 
decoded specific information and said specific information agree with each other, 
then said generating means determines that present information for determining a 
decoding key corresponding to an encryption key is a decoding key for decoding 
encrypted predetermined information and stores said decoding key in said second 
memory and if it is determined that said decoded specific information and said 
specific information do not agree with each other, then said generating means 
hierarchizes present information for determining a decoding key corresponding to 
said encryption key by using a one-way function and determines a decoding key 
corresponding to an encryption key by repeating operations claimed in claim 22. 

24.An apparatus as claimed in claim 19, in which said first memory, said second 
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memory, said generating means and said decoding means are disposed within a 
single IC chip. 

25 An apparatus as claimed in claim 24, in which said information for determining 
a decoding key corresponding to said encryption key is previously stored m said 
first memory. 

26 A recording medium decodable by a decoding apparatus, in which said 
recording medium includes a recording signal decodable by said decoding 
apparatus and said recording signal contains predetermined information encrypted 
by encryption keys hierarchized by using a one-way function. 

27 A recording medium as claimed in claim 26, in which said recording signal 
further includes specific information encrypted by using said encryption key. 

28 A recording medium as claimed in claim 26, in which said encryption key is 
printed on said recording medium in the form of characters, numerals, bar code or 
hologram corresponding to said encryption key. 
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Encryption method, encryption apparatus, recording method, decoding 
method, decoding apparatus and recording medium 

Description of corresponding document: EP0768774 

This invention relates to encrypting information (such as software or data), 
recording encrypted information, decoding encrypted information, and record 
media in which information is recorded. A preferred form of implementation of the 
invention described hereinbelow provides a method of and apparatus for encrypting 
software or data, an apparatus for decoding encrypted software or data, a method of 
ecording encrypted software or data, a method of decoding encrypted software or 
data an apparatus for decoding encrypted software or data and a recording medium 
for use in preventing illegal use of software or data recorded on a recording 
medium such as a digitafvideo disk or software or data supplied through a network. 

In order to prevent illegal use of software or data, it is customary that software or 
data is encrypted by use of predetermined encryption keys and encrypted software 
or data is recorded on a digital video disk (hereinafter simply referred to a DVD ) 
or supplied through a network to thereby provide encrypted software or data. The 
encrypted software or data recorded on the DVD or the encrypted software or data 
supplied through the network is decoded by the encryption keys provided 
separately. 

The manner in which information is encrypted and decoded will be described 
below in brief. 

FIG. 1 of the accompanying drawings shows a principle by which information or 
data is encrypted and decoded. 

A sender encrypts (101) plain text M (information to be transmitted) by using an 
encryption key K 1 to provide cipher text C (data to be transmitted in actual 
prac ice) Thedpher text C is transmitted to a receiver and the receiver decodes 
(1 09) the cipher text C by using a decoding key K2 to provide plain text M. In this 
wav plain text is transmitted from the sender to the receiver. It is frequently 

! tSose who have no decoding key (i.e., « = 
text C and decodes (103) cipher text C. The manner in which those who have a 
decoding key generate plain text M from cipher text C is generally 
"decoding" while those whose have no decoding key wiretap cipher text C and get 
plain text M from cipher text C is referred to as "decryption". 

However, when plain text is encrypted by the above-mentioned enc 7 P ^ t ^' for 
once the encryption key is decrypted, such encryption key becomes ineffective foi 
preventing illegal use. Therefore, when the encryption key is decrypted the 
encryp on key is updated to new one and software or data is encrypted by using 
sucli updated encryption key, thereby preventing illegal use of software or data. 

However, in actual practice, even when the encryption key is updated it is 
freely observed that there exist encrypted software or data encrypted by the 
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previous encryption key. Therefore, the previous key for decoding such software or 
data has to be retained. As a consequence, each time the encryption key is updated, 
encryption keys to be retained are increased, and the hardware and the software 
both face problems of managing the retained encryption keys. 

When the encryption key is previously assembled from a hardware standpoint, it is 
sometimes very difficult to update such encryption keys into new ones. 

According to a first aspect of the present invention, there is provided a method of 
encrypting predetermined information by using a predetermined encryption key 
which comprises the steps of hierarchizing the encryption key by using a one-way 
function and decoding the predetermined information by using the hierarchized 
encryption key. 

According to a second aspect of the present invention, there is provided a method 
of recording predetermined encrypted information on a recording medium which 
comprises the steps of receiving predetermined information encrypted by using an 
encryption key hierarchized by a one-way function and recording the encrypted 
predetermined information on the recording medium. 

According to a third aspect of the present invention, there is provided a method of 
decoding encrypted predetermined information which comprises the steps of 
receiving encrypted predetermined information and decoding the encrypted 
predetermined information by using a decoding key corresponding to an encryption 
key hierarchized by using a one-way function. 

According to a fourth aspect of the present invention, there is provided an apparatus 
for decoding predetermined information by using a predetermined encryption key 
which is comprised of means for generating encryption keys by hierarchizing 
encryption keys by using a one-way function and means for decoding the 
predetermined information by using the hierarchized encryption keys. 

According to a fifth aspect of the present invention, there is provided an apparatus 
for decoding encrvpted predetermined information which is comprised of means tor 
receiving the encrypted predetermined information and means tor decoding the 
encrypted predetermined information by using a decoding key corresponding to 
encryption keys hierarchized by using a one-way function. 

In accordance with a sixth aspect of the present invention, there is provided a 
recording medium decodable by a decoding apparatus. The recording medium 
includes a recording signal decodable by the decoding apparatus and the recording 
signal contains predetermined information encrypted by encryption keys 
hierarchized by using a one-way function. 

The preferred form of implementation of the invention described hereinbelow 
provides an encryption method, an encryption apparatus, a recording method, a 
decoding method, a decoding apparatus and a recording medium in which 
encryption keys can be managed with ease by hierarchizing encryption keys. 

The invention will now be further described, by way of illustrative and non-limiting 
example, with reference to the accompanying drawings, in which: 
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FIG. 1 is a schematic diagram showing a principle by which software or data is 
encrypted and encrypted software or data is decoded; 

FIG. 2 is a schematic diagram showing an example of a hierarchial structure of 
encryption keys which can be applied to an encryption method embodying the 
present invention; 

FIG. 3 is a flowchart illustrative of a manner in which a DVD on which encrypted 
information is recorded is made; 

FIG. 4 is a schematic diagram showing a DVD on which there are recorded 
encrypted magic key and encrypted information; 

FIG. 5 is a block diagram showing an example of an encryption apparatus 
embodying the present invention; 

FIG. 6 is a block diagram showing an. example of an IC chip 1 1 for decoding 
information recorded on the DVD shown in FIG. 4; 

FIG. 7 is a flowchart to which reference will be made in explaining operation of the 
IC chip 1 1 shown in FIG. 6; 

FIG. 8 is a flowchart to which reference will be made in explaining the detail of a 
step S12 shown in FIG. 7; 

FIG. 9 is a flowchart to which reference will be made in explaining the detail of the 
step S 12 shown in FIG. 7; 

FIG. 10 is a schematic diagram used to explain a manner in which encryption keys 
are printed on DVDs and distributed; 

FIG. 1 1 is a schematic diagram used to explain a manner which an encryption key 
is inserted into decoding software and distributed; and 

FIG. 12 is a schematic diagram used to explain a manner in which an encryption 
key is incorporated into an integrated circuit and distributed. 

Embodiments of the invention will now be described with reference to the 
drawings. 

FIG. 2 is a schematic diagram showing a manner in which encryption keys are 
hierarchized to which an encryption method embodying the present invention is 
applied. 

As shown in FIG. 2, an encryption key Kl of the next hierarchy (Ver.n) is formed 
relative to an encryption key of the first hierarchy (master key) K0 by using a so- 
called one-way function) F. The one-way function F is one of so-called one-way 
functions and carries out an irreversible calculation in which the encryption key Kl 
can be easily calculated from the encryption key K0 but the reverse calculation 
cannot be performed substantially, i.e., the encryption key K0 cannot be 
substantially calculated from the encryption key Kl. 

On the other hand, as the one-way function, there may be used encryption 
algorithm such as Data Encryption Standard (DES, National Bureau of Standards 
FIPS Publication 46, 1977), Fast Encryption Algorithm (FEAL, S. Miyaguchi. The 
FEAL cipher family. Lecture Notes in Computer Science, 537 (1001), pp. 627 to 
638 (Advances in Cryptology - CRYPTO '90) or a message digest algorithm such 
as Message Digest algorithm (MD4, R. L. Rivest. 537 (1001), pp. 303 to 311. 
(Advances in Cryptology - CRYPTO '90) or Secure Hash Standard (SHS, Secure 
Hash Standard, National Bureau of Standards FIPS Publication 180, 1993). DES 
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and FEAL were described in detail in "Cipher and Information Security by isujn 
and Kasahara, July 1993". 

Subsequently, the one-way function will be described in detail with reference to 
examples. 

In the case of DES, the one-way function and the DES have therebetween 
established a relationship expressed by the following equation (1): 
"(1)" F(k) = DES(IV, k) 

where IV is the Initial Vector and arbitrary and k is the key. 

Moreover, as algorithm used in one-way function, there may be used the following 
ones: 

Block cipher (product cipher)-based algorithm; and 
Arithmetic algorithm 

The block cipher (product cipher)-based algorithm can obtain cipher text by 
encrypting plain text by using a key as expressed by the following equation (2): 

"(2)" C = Enc (P, k) • 
where C is the cipher text, p is the plain text, and k is the key. 

Specifically, a bit string of fixed length is obtained by effecting irreversible 
transform on the key by a certain kind of hash function at every block. 

Then, the plain text is processed by permutation box or substitution box for 
substituting data or the like several rounds. In each round, the plain text is 
processed by a certain calculation with the bit string obtained from the key, e.g., 
logical calculation of exclusive-OR. 

The arithmetic algorithm is used in a problem of discrete logarithm as expressed by 
the following equation (3): 

"(3)" F(k) <==> ak mod p . 

where a is the predetermined constant, k is the key and p is the prime number. 

In the above equation (3), symbol "<==>" means " definition". 

Specifically, function F(k) is defined as "remainder which results from dividing 
product multiplied with k by p". In this case, the function F(k) can be obtained from 
the key (k) with ease but it is very difficult to obtain the key (k) from the function F 
(k). 

As described above, after the encryption key Kl was obtained from the master key 
by using the one-way function (F), encryption keys K2, K3, Kn-1, Kn aie 
sequentially calculated by using the one-way function (F) as expressed by the 
following equation (4), thereby resulting in hierarchized encryption keys (Ver.n 
through Ver.l) being formed: 
"(4)" ki = F(Ki-l) 
where i = 1, 2, 3, n) 
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The numerical value n is the sufficient number of hierarchies (number of 
generations). 

Accordingly, although new encryption keys can be calculated with ease by using 
the one-way function (F) as described above, the reverse calculation cannot be 
carried out substantially, i.e., the original key cannot be calculated substantially 
from the encryption keys by using the one-way function (F). 

A method of encrypting information such as software or data and providing 
encrypted information to the user embodying the present invention will be 
described below. When information such as software or data is encrypted and 
provided to the user, as shown in FIG. 2, information is initially encrypted by using 
the encryption key Kn (Ver.l) and the encrypted key Kn is distributed to the user in 
the formed of either being attached to the encrypted information or being supplied 
separately. The user can decode the encrypted information by using the encryption 
key Kn. 

When this encryption key Kn is decrypted, information such as software or data is 
encrypted by the encryption key Kn- 1 of higher hierarchy (Ver.2) and the 
encryption key Kn-1 is distributed to the user. Similarly, each time an encryption 
key is decrypted, information is encrypted by using an encryption key of higher 
hierarchy and the encrypted key is distributed to the user. 

The encryption key Kn of lowest hierarchy (Ver.l) initially distributed is calculated 
from the encryption key Kn-1 of the next hierarchy by using the function (F). 
Specifically, the encryption key Kn can easily be calculated by using^he function 
(F) and information encrypted by the encryption key Kn can be decoded by using 
the encryption key Kn calculated from the encryption key Kn-1. Accordingly, since 
the encryption key is calculated from the encryption key of the next hierarchy by 
using the function (F), the next encryption key can be calculated by using the 
function (F) in any generation. Therefore, if the user retains the latest encryption 
key which is not decrypted, then the user can decode not only information 
encrypted by the latest encryption key but also information encrypted by a previous 
encryption key. Moreover, all encryption keys are keys that are sequentially 
generated from the master key by using the one-way function F). Accordingly if 
tlie user retains the master key instead of the latest enciyption key which is not 
decrypted, then the user can decode information encrypted by all encryption keys. 
Thus, the encryption keys can be managed with ease. 

FIG 3 is a flowchart used to explain a manner in which information (plain text) 
such as moving image, sounds, data or software is encrypted and recorded on a 
recording medium such as a disk (e.g., DVD and hereinafter referred to as DVD ), 
for example, by using the encryption keys shown m FIG. 2. 

Referring to FIG. 3, following the start of operation, an encryption key of a proper 
generation (hierarchy) is selected from hierarchized enciyption keys shown m FIG. 
2 at a step SI and the selected encryption key is set to a work key Then, control 
goes to a step S2, wherein a string of predetermined numerals and characters is set 
to a magic number, the magic number is encrypted by the work key obtained at the 
step SI and the encrypted magic number obtained by the encryption is recorded on 
a predetermined portion of a DVD 1 as shown in FIG. 4, for example. 
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Thereafter, control goes to a step S4, whereat encrypted data, i.e., plain text data is 
encrypted by using the work key and encrypted data (cipher text) is recorded on a 
predetermined portion of the DVD 1 as shown in FIG. 4. 

An encryption apparatus corresponding to the above-mentioned encryption method 
will be described with reference to FIG. 5. 

As shown in FIG. 5, plain text data and magic number are supplied to terminals 60 
and 70 respectively. The plain text data and the magic number from the terminals 
60 70 are respectively supplied to corresponding encryption circuits 51, 52. Ihe 
magic number is the string of predetermined numerals and characters as described 
above. A work key generating circuit 53 selects an encryption key of a proper 
generation (hierarchy) from the hierarchized encryption keys shown in FIG. 2 and 
supplies the selected encryption key to the encryption circuits 51, 52 as a work key. 
The encryption key 52 encrypts the supplied magic number by using the work key 
supplied thereto from the work key generating circuit 53. Then, encrypted magic 
number thus obtained by encryption is supplied to a recording apparatus 5 4 The 
encryption circuit 51 encrypts the supplied plain text data by using the work key 
and supplies the encrypted information to the recording apparatus 54. The 
recording apparatus 54 records the encrypted information and the encrypted magic 
information on the predetermined positions of the DVD 1 as shown in FIG. 4. 

If the recording apparatus 54 is a formatter for generating a master disk, then a 
stamper is formed from the master disk and a large number of disks are produced 
by using such stamper. 

FIG 6 is a block diagram showing an IC chip for decoding encrypted information 
recorded on the DVD 1 in a disk player (DVD player and hereinafter referred to as 
"DVD player") for playing back the thus made DVD 1 . Magic number, encrypted 
magic number and encrypted information(cipher text) are inputted to an IC chip 11. 
Th?encrypted magic number is supplied from the DVD 1, the magic number is 
stored in a memory (not shown) of the DVD player itself and supplied from such 
memory. This magic number is a string of predetermined numerals and characters. 
This magic number is the same as that used in the encryption side. 

A memory 12 stores the encrypted key K0 shown in FIG. 2, i.e., master key. A 
register 13 stores an encryption key of a predetermined generation obtained by 
using the above function (F) relative to the master key, i.e., work key as will be 
described later on. A decoding circuit 14 generates a work key based on the 
inputted magic number, the encrypted magic number and the master key read out 
from the memory 12 and supplies the thus formed work key to the register 3 as 
will be described later on. The decoding circuit 14 decodes the inputted and 
encrypted information (cipher text) by using the work key and outputs the decoded 
data as plain text data (plain text). 

The manner in which the encrypted data recorded in the DVD 1 within the IC chip 
1 1 is decoded will be described with reference to a flowchart ot MO. /. 

Referring to FIG. 7, following the start of operation, in a step S I 1 the encrypted 
magic number is read out from the predetemiined position of the DVD 1. I hen, 
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control goes to a step SI 2, whereat a work key is obtained trom tne encrypceu 
magic number read out at the step SI and the magic number read out from the 
memory (not shown) of the DVD player itself as will be described later on with 
reference to a flowchart of FIG. 8. 

FIG. 8 is a flowchart used to explain the processing at the step S12 in FIG. 7 more 
in detail. 

Referring to FIG. 8, following the start of operation, initially, at a step S21, a 
master key is read out from the memory 12 of the IC chip 1 1 and set to a selection 
key (k). Then, this selection key (k) is supplied to the decoding circuit 14. The 
selection key (k) expresses an encryption key that is selected at present. 

As shown in FIG. 8, control goes to the next decision step S22, whereat the magic 
number and the encrypted magic number are supplied to the decoding circuit 14 
and thereby the encrypted magic number is decoded by using the selection key (k). 
Then, it is determined at the decision step S22 whether or not the result which 
results from decoding the encrypted magic number by the selection key (k) agrees 
with the magic number. If the decoded result and the magic number which is not 
encrypted do not agree with each other as represented by a NO at the decision step 
S22, then it is determined that this selection key is not the encryption key which 
encrypts the encrypted magic number on the encryption side.Then, control goes to a 
step S23, whereat an encryption key of the next generation is calculated from the 
selection key (k) by using the one-way function (F) as expressed by the following 
equation (5) and set to a new selection key (k): 
"(5)" k = F(k) 

Then, control goes back to the step S22 and the similar processing is executed 
repeatedly. 

If on the other hand the result which results from decoding the encrypted magic 
number by the selection key (k) and the magic number which is not encrypted agree 
with each other as represented by a YES at the decision step S22, then it is 
determined that the selection key (k) is the encryption key which encrypts the 
encrypted magic number. Then, control goes to a step S24, wherein the decoding 
circuit 14 selects this selection key (k) as a work key and supplies this selection key 
(k) to the register 13, in which it is registered. Then, processing in the flowchart of 
FIG. 8 is ended and control goes back to the processing of the flowchart of FIG. 7. 

Thereafter, control goes to a step S13 in the flowchart of FIG. 7, whereat the 
decoding circuit 14 reads out the work key obtained at the step S 12 (steps S21 to 
S24 shown in FIG. 8) from the register 13, decodes the encrypted information 
(cipher text) inputted to the decoding circuit 14 by using the work key and outputs 
the decoded information as plain text data (plain text). 

As described above, since the IC chip 1 1 obtains the work key corresponding to the 
encrypted information from the master key and decodes the inputted encrypted 
information by using this work key, if the user retains only this master key, then the 
user can decode information encrypted by an encryption key of any hierarchy. 
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When the above-mentioned processing is carried by a software of computer, the 
' processing at the step S12 of FIG. 7 is replaced with a flowchart shown in FIG. 9. 
FIG. 9 is a flowchart showing a manner in which encrypted information is decoded 
in a computer which realizes the function shown in FIG. 6 by software. In this case, 
the computer incorporates therein a decoding board corresponding to FIG. 6 and 
software is memorized in a memory of such decoding board. Moreover, in this 
case, a master key that is previously stored in the memory is not used but a latest 
encryption key (or may be a master key) to be distributed is used. 

As will be described later on with reference to FIG. 10, for example, the user inputs 
an encryption key (Ki) (where i represents any one of n, n-1, 1) of a 
predetermined hierarchy distributed in the form of being printed on the DVD 
through a keyboard to a computer. Such encryption key is memorized in a 
predetermined memory disposed within the computer. Alternatively, the computer 
receives the latest encryption key distributed through a telephone network line or a 
network and stores a predetermined memory (e.g., RAM (random-access 
memory)). 

Referring to FIG. 9, following the start of operation, at a first step S31, inputted 
encryption key (Ki) of a predetermined hierarchy is read out from the memory and 
set to a selection key (k). The selection key (k) expresses an encryption key 
selected at present similarly as described above. 

Then, control goes to a decision step S32, whereat a magic number read out from 
the memory and an encrypted magic number read out from the DVD are supplied 
and the encrypted magic number is decoded by the selection key (k). In the decision 
step S32, it is determined whether or not a result which results from decoding the 
encrypted magic number by the selection key (k) and the magic number agree with 
each other. If the decoded result and the magic number which is not encrypted do 
not agree with each other as represented by a NO at the decision step S32, then it is 
determined that the selection key (k) is not the encryption key which encrypts the 
encrypted magic number. There fore, control goes to a step S3 3, whereat an 
encryption key of the next generation is calculated from the selection key (k) by 
using a one-way function (F) and the thus calculated encryption key of the next 
generation is set to a new selection key (k). 

Then, control goes back to the step S32 and the similar processing is repeatedly 
executed. 

If on the other hand the result which results from decoding the encrypted magic 
number by the selection key and the magic number agree with each other as 
represented by a YES at the decision step S32, then it is determined that the 
selection key (k) is the encryption key which encrypts the encrypted magic number. 
Therefore, control goes to the next step S34, whereat this selection key (k) is set to 
the work key and this work key is stored in a predetermined memory (e.g., 
register). Then, the processing in the flowchart of FIG. 9 is ended and control goes 
back to the flowchart of FIG. 7. 

Thereafter, control goes to the step S13 of the flowchart shown in FIG. 7, whereat 
encrypted information is decoded by using the work key obtained at the step S12 
(steps S31 to S34 shown in FIG. 9) and outputted as plain text data (plain text). 
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As'described above, when information encrypted by the software of the computer is 
decoded, it is possible to decode information encrypted by at least the encryption 
key (Ki) or encryption keys (Ki-1 through Kl) of hierarchies lower than the 
encryption key (Ki) based on the encryption key of arbitrary hierarchy distributed. 

As described above, according to the embodiment of the present invention, since 
information encrypted by the previous encryption keys can be decoded based on the 
latest encryption key (may be master key or encryption key of arbitrary hierarchy), 
it is sufficient that only the latest encryption key is memorized. Therefore, unlike 
the prior art, in addition to the previous encryption keys, new encryption keys need 
not be memorized and managed each time an enciyption key is decrypted and an 
encryption key is varied. Thus, encryption keys can be managed with ease. : 

Further, in the embodiment shown in FIG. .6^since^ 

is stored in the memory 12 disposed within the IG .chip U ,;an enciyption key of a 
predetermined hierarchy is calculated within ;th<^ : 
information is decoded, the encryption key can be prevented from being leaked to 
the outside and decryption of the encryption key can be made diffi 
the above-mentioned embodiment, since the processing for caiculatirig tKe work 
key and the processing for decoding the encrypted information^ out .. 

by the same decoding circuit 14, the circuit can be saved! - " : f ' r ^ r ' • 



The manner in which encryption keys are distributed: will be ^described; with \ 
reference tto FIGS; TO to 12: 




Then, when the DVD 21 is set on a E)VD reader 23 -Jj 

anduandbandd 



reads on; the encrypted information from the DVD 21 through the DVD reader and 
decodes the encrypted information read out from the DVD 21 based on the 
previously-entered encryption key A. Of course, encrypted information recorded on 
the DVD 22 can be decoded in the same way as in the DVD 21. 

Accordingly, this case is suitable for distributing different encryption keys at every 
title of DVD. For example, encryption keys computed from different master keys 
by one-way function may be assigned to every title of DVD. 

Furthermore, even when the encryption key A corresponding to the title A is 
decrypted, the encryption key A corresponding to the tit^ 
encryption key A2 of higher hierarchy and continuation iiriform 
encrypted by the encryption key A2, the encryption key A that is not^ 
can be easily obtained from the encryption key A^ 

similarly as described above with reference tdltfre flowcHart of FIG; 9. TheWfbre,; • : 



rtiich a code indicative of encryption key is 
inserted into software for decoding airencryptic^ 



As shown in FIG. 1 1, a code indicative of elibiyptipn key is^ 
software provided on a decoding board 33 for decoding encryption information. 
Then, this decoding board 33 is loaded onto the.cp^^ 

23 can decode ■encrypted information recorded on, DVDsj 3.1 , 32 through the , t v . . 
decodine .boards 3'3" : and outnut ''movirie%ictiircJ still -nicture^and-'souhds. 
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keys (K 1 through Kn) can be decoded. Since it is very difficult for the users to 
decrypt data inserted into the hardware such as the integrated circuit, 
illegal use of the encryption key can be suppressed. 



FIG. 12 illustrates the manner in which an encryption key is inserted into an 
integrated circuit and distributed. As shown in FIG: 12, a maker having a legal 
obligation to keep secret manufactures an integrated circuit 41 in which a master 
key is stored. The IC chip 1 1 can be applied to the integrated circuit 41. In the case 
of this example, the integrated circuit 41 is supplied to a maker A. Then, after the 
integrated circuit 41 was assembled into a DVD player 43, the integrated circuit 41 
is distributed to the user. 

On the other hand, magic number encrypted: by using an enc^ _ 
predetermined hierarchy memorized in the;integrated;^ 
encryption informatipn enctyjDted :by^# ; 
42. J III 



When the,useiisetsithe DVD 42<pn ttie ; DVI^ 

from the integrated circuit 41 ahda work keyas obtained in the same manner as that 
described with reference to the flowcharts shown in FIGS. 7 and 8, whereby - ^\ 
encrypted information recorded on the DVD 42 is. decoded. and corresponding % ;; r 
moving picture^ still picture and sounds can be outputted; r - ^ - e J * t <• 

When -the faster key is memorized in thefintegfated circuit as described above, the 
DVD player 43 is able to decode arid;output encrypted information recorded on the 
DVD 42 regardless: of hierarchy- 
recorded 6nthe-DVD;42/ 
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integrated circuit 41 memorizes the master key therein so thai an encryption key of 
an -arbitrary hierarchy can be formed from this master key by using the one-way 
function (F). Thus, the information encrypted by the encryption key of the 
predetermined hierarchy recorded on the DVD 42 can be decoded. 

Therefore, even if the encryption key is updated and information encrypted by an 
encryption key of a new hierarchy is recorded on the DVD 42 because the previous 
encryption key is decrypted, the user can decode and reproduce such information 
satisfactorily in a usual manner. 

Since DVD players which do not have the -integrate circuit 4 1 with encryption 
keys stored therein are unable to correctly reproduce the DVD 42 in which 
information encrypted by this encryption key is recorded, use of information can be 
limited properly. Further, since computers ^ the decoding board in 

which encryption keys are memorized are un^le ta£ reproduce a recording 

medium in which information encrypt the encryption key, use of information 
can be limited properly. . ; 1 

Furthermore, encryption keys are distributed in the form of alphanumeric 
characters, bar code or hologram pr intedlori the recording medium such as DVD or 
the case of DVD, data corresponding to .th^enQ^ption key is memorized m the IC 
card, data corresponding to an enciypti6n k^ is memorized in 

the integrated circuit which is difficult to be used illegally, data corresponding to 
the encryption key is inserted Jinta the- d^ data corresponding to ; 

the encryption key is distributed through the telephone network: line, or the network, 
whereby the encryption key can be distributed;extremely easily. _ r 

While the © V© 4s ^used as .the • recoffti^ 





AlthoughHhe computer decodes encrypted' information by^usmg^soitware^as ^ 
described above,; the following variant is. aiso possible. That is, software is not used . 
and an. IC: chip Embodying the present - - - ? ^ : ^ At, °^ 1 ,fKl " f? 
computer iand the ilC-chipimawdecodei 
computers wK 
merfionz^df 
information 

According to the encryption method ^ above, 
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since encryption keys are hierarehized by using ihe one-way funciion, the decodin 
sride which retains the latest encryption key can decode information encrypted by 
the previous encryption key. Therefore, the generation (hierarchy) of encryption 
keys can be managed with ease when the encryption key is updated. 

Further, according to the encryption apparatus and the decoding apparatus 
described above, since encryption keys are calculated from the master key 
memorized in the first memory by using the one-way function and the decoding 
means decodes information based on the encryption key memorized in the second 
memory, the decoding side which holds the master key can decode information 
encrypted by the encryption key computed from the master key ^T^ 
generation (hierarchy) of encryption keys can be managed with ease ^heii the r 
encryption key is updated. Furthermore, sinc£ the above-mentioned rfe^ 
means are disposed within the single chip, the lea^ 

outside can. _.he -.suppressed, • th^ret>y- : ^ : . ^ ? ? f > 

reliable. ;■ ^f!^^^^:^^^v : ^?] 

Having described preferred embodiment the 
accompanying drawings, it is to be understood that the invention is riot limited to 
those precise embodiments and that vanbu could be 

effected therein by one skilled in the art without ^ 
invention as defined in the appended claims- 
Data supplied from the esp@cenet database - Worldwide 
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